Local Pan-Privacy for Federated Analytics

📅 2025-03-14
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper addresses the stringent privacy challenges of federated telemetry under repeated, unpredictable local intrusions, in which device states may be fully compromised, a setting that renders conventional privacy models inadequate. Method: the paper proposes the first formal local pan-privacy model, rigorously defining privacy requirements such that event counts remain provably indistinguishable even when all local device states are exposed. It proves an inherent tension between information-theoretic differential privacy and utility in telemetry under strong intrusion assumptions. To resolve it, the authors design a distributed perturbation protocol combining lightweight obfuscation with verifiable secret sharing, requiring no trusted central authority or global synchronization. Contribution/Results: the scheme provides provable information-theoretic privacy guarantees, with constant O(1) communication and computation overhead per device, and scales to millions of concurrent clients. Empirical evaluation on real-world telemetry workloads confirms low latency and high practical feasibility.

📝 Abstract
Pan-privacy was proposed by Dwork et al. as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system's internal state. Motivated by federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.
Problem

Research questions and friction points this paper is trying to address.

Designing private analytics systems resilient to intrusions.
Ensuring privacy in federated systems under repeated local intrusions.
Monitoring event counts privately using cryptographic methods.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Local pan-privacy for federated analytics
Information-theoretic differential privacy under intrusion
Scalable solution using cryptographic primitives